Vpn Pix to Pix connection problem

dcristoni
Level 1

I have a PIX-to-PIX VPN.

PIX A with internal network A and PIX B with internal network B.

Communication through the VPN is OK and network host A is able to communicate with network host B.

I have a third network C connected to network B through a Cisco Router 1600.

The Cisco PIX in network B has a route: inside 192.168.3.0 255.255.255.0 192.168.2.1 (the IP of the Cisco Router 1600 in network B).

Network A is 192.168.1.0

Network B is 192.168.2.0

Network C is 192.168.3.0

Network host A cannot communicate with network host C, while network host B is able to communicate with network host C.

My question is this:

What do I configure on the PIX to resolve the problem?

How do I configure the television to activate the communication between network host A and network host C?

Many Thanks

4 Replies

gfullage
Cisco Employee

I'm assuming you want to communicate across the VPN here. In PIX-A you need to change your crypto and NAT 0 access-lists to be:

> access-list xxx permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

> access-list xxx permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Make sure PIX-A has a route to the 192.168.3.0 network pointing out the outside interface (same as the route for 192.168.2.0). Then on PIX-B you need to update its crypto and NAT 0 access-lists to be:

> access-list xxx permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

> access-list xxx permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

tahirk
Level 1

Hi

Can you please send me the PIX-to-PIX VPN configuration between the head office and multiple remote sites.

Many Thanx

Tahir Khan

Network Engineer

My configuration:

PixA

: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any
access-list acl_in permit udp any any
access-list acl_out permit icmp any any
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.72.205.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map ToPixB ipsec-isakmp
crypto map ToPixB 10 match address 110
crypto map ToPixB 10 set peer x.x.x.x
crypto map ToPixB 10 set transform-set myset
crypto map ToPixB interface outside
isakmp enable outside
isakmp key ********** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:ff629b12df4d0dc56077cb8b8c1577ad

PixB

: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any
access-list acl_in permit udp any any
access-list acl_out permit icmp any any
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map ToPixA 10 ipsec-isakmp
crypto map ToPixA 10 match address 110
crypto map ToPixA 10 set peer x.x.x.x
crypto map ToPixA 10 set transform-set myset
crypto map ToPixA interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:a1c8f6e20b7d9dd80b5d724d567cf943

Many Thanks
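The requirement gfullage's reply relies on (and that the two configs above are meant to satisfy) is mechanical: on each PIX the nat 0 ACL and the crypto map's match-address ACL must list the same network pairs, and the peer's crypto ACL must be the exact mirror. The following checker is an added example, not code from this thread or from Cisco; it runs over the relevant lines of the two posted configs, plus one deliberately malformed line (a constructed typo, 192.168.2.0.0) to show that a paste error is caught instead of silently leaving a network out of the tunnel. The function and constant names are my own, not PIX commands.

```python
"""Added example: consistency check for a PIX-to-PIX (LAN-to-LAN) IPsec pair.

Rules checked (the ones gfullage's reply relies on):
  1. On each PIX, the 'nat (inside) 0 access-list' ACL and the crypto map's
     'match address' ACL must list the same source/destination network pairs,
     otherwise traffic is either NATed before encryption or never encrypted.
  2. PIX-B's crypto ACL must be the exact mirror (src/dst swapped) of PIX-A's,
     or one side rejects the other's proxy identities during IKE phase 2.
  3. Every ACL line must parse; a typo such as '192.168.2.0.0' would be
     rejected by the PIX and leave that network out of the tunnel.
Function and constant names are my own (hypothetical), not PIX commands.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def parse_pix(config):
    """Return (acls, nat0_acl_name, crypto_acl_name, errors) for a PIX 6.x config."""
    acls, errors = {}, []
    nat0 = crypto = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, src_mask, dst, dst_mask = m.groups()
            try:
                # ipaddress accepts dotted netmasks, so "192.168.1.0/255.255.255.0" parses.
                pair = (ipaddress.ip_network(f"{src}/{src_mask}"),
                        ipaddress.ip_network(f"{dst}/{dst_mask}"))
            except ValueError as exc:
                errors.append(f"unparseable ACL line {line!r}: {exc}")
                continue
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MATCH_RE.match(line):
            crypto = m.group(1)
    return acls, nat0, crypto, errors


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two configs agree."""
    findings, crypto_pairs = [], {}
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, nat0, crypto, errors = parse_pix(cfg)
        findings += [f"PIX-{label}: {e}" for e in errors]
        if nat0 is None or crypto is None:
            findings.append(f"PIX-{label}: no 'nat (inside) 0 access-list' or no crypto map 'match address'")
            continue
        nat_set, crypto_set = set(acls.get(nat0, [])), set(acls.get(crypto, []))
        if nat_set != crypto_set:
            findings.append(f"PIX-{label}: nat 0 ACL {nat0} and crypto ACL {crypto} cover different networks")
        crypto_pairs[label] = crypto_set
    if len(crypto_pairs) == 2:
        # Mirror PIX-B's entries so they can be compared directly with PIX-A's.
        mirrored_b = {(dst, src) for src, dst in crypto_pairs["B"]}
        for src, dst in sorted(crypto_pairs["A"] - mirrored_b, key=str):
            findings.append(f"PIX-A crypto entry {src} -> {dst} has no mirror entry on PIX-B")
        for src, dst in sorted(mirrored_b - crypto_pairs["A"], key=str):
            findings.append(f"PIX-B crypto entry {dst} -> {src} has no mirror entry on PIX-A")
    return findings


# Relevant lines of the two configs posted in the thread (peer addresses masked as x.x.x.x there).
PIX_A = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map ToPixB 10 match address 110
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
"""

PIX_B_GOOD = """\
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map ToPixA 10 match address 110
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
"""

# Constructed variant: one crypto ACL line carries a paste typo (192.168.2.0.0).
PIX_B_TYPO = PIX_B_GOOD.replace(
    "access-list 110 permit ip 192.168.2.0 ", "access-list 110 permit ip 192.168.2.0.0 ", 1)

if __name__ == "__main__":
    for title, cfg_b in (("as posted", PIX_B_GOOD), ("with constructed typo", PIX_B_TYPO)):
        print(f"== PIX-A vs PIX-B ({title}) ==")
        for finding in check_pair(PIX_A, cfg_b) or ["OK: nat 0 and crypto ACLs agree and mirror each other"]:
            print("  " + finding)
```

With the typo variant the checker reports three things at once: the unparseable line, that PIX-B's nat 0 and crypto ACLs now cover different networks, and that PIX-A's 192.168.1.0 -> 192.168.2.0 entry has no mirror on PIX-B, which is exactly the kind of mismatch that shows up later as a phase 2 proxy-identity failure in "show crypto ipsec sa".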

Tahirk,

Other than PIX-A missing part of its config (probably it just didn't make the paste):

crypto map ToPixB ipsec-isakmp

should be

crypto map ToPixB 10 ipsec-isakmp

Configuration looks good. Did you clear the tunnels out? "clear crypto ipsec sa" and "clear crypto isakmp sa". How about clear xlate, wr mem and reload? Does 192.168.2.1 (I'm assuming this is a router and not a dual-homed server) have a static route for 192.168.1.0/24 pointed back to 192.168.2.254? Or a default route to 192.168.2.254? After testing "both ways", post the output from "show crypto ipsec sa" from both PIXes so we can see which side the problem is on.

Kurtis Durrett